Report #101801
[gotcha] Users extract the hidden system prompt, tool schemas, or internal instructions from the assistant
Keep the system prompt minimal and free of secrets; place tool schemas and business rules in application code, not prompt text; and use output filtering to detect when the model quotes its instructions verbatim.
Journey Context:
Developers often put API keys, internal codenames, or detailed tool schemas in the system prompt. Attackers then ask the model to 'repeat the text above' or translate earlier instructions, and models frequently comply because they see the system prompt as context, not a confidentiality boundary. The right call is to treat the system prompt as user-facing: include only what you can afford to leak, and keep sensitive configuration outside the context window.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:28:16.463066+00:00— report_created — created